Systems and methods for blockchain security data intelligence

ABSTRACT

Embodiments are directed to systems and methods configured to detect malware vulnerabilities in computational environments. The method includes receiving input data distributed among a plurality of nodes within a particular network, receiving the input data into a curator engine to convert the at least one input data into a payload having at least one message header, receiving the payload having the at least one message header into a transaction engine, and storing the payload having the at least one message header into a blockchain database. The method continues by processing the payload having the at least one message header to make a decision to transform or analyze the transaction based on a predetermined set of rules, converting the payload into a data file, evaluating the data file, aggregating the data file for a plurality of behavior models, and converting the data file into a valid message payload with a header.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a divisional application of U.S. patent application Ser. No. 16/130,795 filed on Sep. 13, 2018, which claims the benefit of U.S. Provisional Application No. 62/681,993, filed Jun. 7, 2018, the contents of both of which are included herein by reference.

TECHNICAL FIELD

The present disclosure generally relates to security-related data and, more particularly, to systems and methods for detecting and mitigating blockchain security gathering, transmitting, sharing and processing security-related data between end users and devices across multiple platforms.

BACKGROUND

As background, the growth of the World Wide Web (internet) has caused a higher level of dependency on its various manifestations, such as the reliance on the globalization of services and commerce. However, the World Wide Web also has a growing risk of cybercrime. As such, because of the growing use of the World Wide Web combined with the availability of powerful computational systems at a lower price, cyber attackers have also drastically improved their ability to make lethal malware programs that adapt very rapidly using the concept of self-learning. These self-learning malware programs evade existing anti-virus detection technologies by utilizing code obfuscation techniques, which iteratively modify the malware and make it intelligent so each version appears different and undetectable by the traditional anti-virus programs.

As a result of the failure of traditional anti-virus programs, large corporations suffer millions of dollars in losses; theft of intellectual property, financial theft, and theft of health data and personally identifiable information are among the most common losses. In response, artificial intelligence (AI), which also uses a concept of self-learning, has been used to detect the lethal malware programs. However, AI requires significant training and time to self-learn the detection of these malware programs, and there is a high number of false positives, which results in the malware detection ratio being very low. Blockchain is just as susceptible as the World Wide Web to these lethal malware programs.

Blockchain is used daily in the financial world for transactional data. As such, Blockchain is a transparent distributed technology that is immutable, auditable by the public and is generally known to be a highly trustworthy technology because every transaction record contains identifiers of previous transactions, which prevents the ability to compromise a data record with the concept of distributed data. However, Blockchain alone cannot be used for detecting threats or malware in the cybersecurity landscape.

Accordingly, a need exists for a system and method that combines the immutable electronic method with artificial intelligence and the use of behavior analysis to detect and deter cyber threats in the blockchain environment.

SUMMARY

In one embodiment, a method for detecting vulnerabilities and anomalies in a computational environment is provided. The method includes receiving, from a client environment, at least one input data distributed among a plurality of nodes within a particular network. A curator engine receives the at least one input data from at least one of the plurality of nodes. A transaction engine receives the at least one input data from the curator engine. The at least one input data is evaluated for information and events or vectors of attack, where the information and events or vectors of attack as an indicator are ranked, the indicator or vectors of attack are logged into the network, the indicator or vectors of attack are validated, and the indicator or vectors of attack are recorded into a blockchain database as a transaction having generated at least a first transaction identification. A rule engine processes the transaction so as to make a decision to transform or analyze the transaction based on a predetermined set of rules. An action engine processes the transaction from the rule engine, wherein the action engine decides and generates feedback to the client environment.

In another embodiment, a method of detecting malware vulnerabilities in a computational environment is provided. The method includes receiving, from a client environment, at least one input data distributed among a plurality of nodes within a particular network, receiving, from at least one of the plurality of nodes, the at least one input data into a curator engine to convert the at least one input data into a payload having at least one message header, receiving, from the curator engine, the payload having the at least one message header into a transaction engine, and storing, from the transaction engine, the payload having the at least one message header into a blockchain database. The method continues by processing, by a rule engine, the payload having the at least one message header to make a decision to transform or analyze the transaction based on a predetermined set of rules, converting, by the curator engine, the payload having the at least one message header into a data file, evaluating, by an external malware analysis engine, the data file, aggregating, by a data aggregator, the data file for a plurality of behavior models, and converting, by the curator engine, the data file into a valid message payload having a header. The rule engine determines whether the header of the valid message payload is malware, assigning a second transaction and storing the determination prior to an action engine rejecting the header of the valid message payload or permitting the header of the valid message payload, as a validated message payload, into the client environment.

In yet another embodiment, a method of detecting vulnerabilities and anomalies in a computational environment is provided. The method includes registering, by a unique identifier, an internet of things device to a transaction engine such that a unique signature is provided. The transaction engine determines a plurality of data to be collected from the internet of things device. A blockchain database records the unique signature. A rule engine validates the unique signature so as to make a decision regarding a plurality of firmware and a plurality of machine code associated with the internet of things device based on a predetermined set of rules. An action engine processes the transaction from the rule engine and alerts feedback to a client environment, wherein the plurality of firmware and machine code in the internet of things device is analyzed so as to maintain enabled capabilities, shielding, and enforcing continuous working order.

In still yet another embodiment, a system of enforcing privacy policy regulations in a computational environment is provided. The system includes a client user interface, a client environment, and a swarm intelligence. The client environment has a plurality of first databases, a plurality of client applications, a curator engine, and an action engine. The plurality of client applications includes a new user register and a new user event. The plurality of client applications is communicatively coupled to the plurality of first databases. The curator engine is communicatively coupled to both the client environment and the plurality of first databases. The swarm intelligence has a transaction engine, a blockchain database, and a rule engine. The swarm intelligence is communicatively coupled to the client environment. The transaction engine is communicatively coupled to the curator engine and to the blockchain database. The blockchain database is communicatively coupled to the rule engine. The rule engine is communicatively coupled to the action engine. The action engine is communicatively coupled to the client user interface. The system is configured to execute and enforce a plurality of data traceability from an integrated system across a browser, a session, a webserver, or a plurality of second databases configured with personal identifiable information by indexing the personal identifiable information from a genesis block such that a user is permitted to log, delete or encrypt the personal identifiable information in accordance with current and future policy laws.

These and additional features provided by the embodiments described herein will be more fully understood in view of the following detailed description, in conjunction with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The embodiments set forth in the drawings are illustrative and exemplary in nature and not intended to limit the subject matter defined by the claims. The following detailed description of the illustrative embodiments can be understood when read in conjunction with the following drawings, where like structure is indicated with like reference numerals and in which:

FIG. 1 schematically depicts a plurality of illustrative networked devices that may be used to provide a system of swarm intelligence for detecting and deterring malware threats in a Blockchain environment according to one or more embodiments shown or described herein;

FIG. 2 schematically depicts an overview diagram of a system having a swarm intelligence for detecting and deterring malware threats in a blockchain environment according to one or more embodiments shown and described herein;

FIG. 3 schematically depicts a component diagram of the interaction of the overview diagram of FIG. 2 according to one or more embodiments shown and described herein;

FIG. 4 schematically depicts a component diagram of the swarm intelligence of FIG. 2 according to one or more embodiments shown and described herein;

FIG. 5 schematically depicts a component diagram of a plurality of nodes of FIG. 2 according to one or more embodiments shown and described herein;

FIG. 6 schematically depicts a component diagram of swarm deployment according to one or more embodiments shown and described herein;

FIG. 7 schematically depicts a component diagram of a malware analysis platform according to one or more embodiments shown and described herein;

FIG. 8 schematically depicts a component diagram of an internet of things processing platform according to one or more embodiments shown and described herein;

FIG. 9 schematically depicts a component diagram of a privacy policy regulation enforcement according to one or more embodiments shown and described herein;

FIG. 10 schematically depicts a user interface according to one or more embodiments shown and described herein;

FIG. 11 depicts a flow diagram of an illustrative method of researching and reporting cyber threats according to one or more embodiments shown and described herein;

FIG. 12 depicts a flow diagram of an illustrative method of a system start-up according to one or more embodiments shown and described herein; and

FIG. 13 depicts a flow diagram of an illustrative method of data flow and processing data to determine whether an incident of compromise has occurred according to one or more embodiments shown and described herein.

DETAILED DESCRIPTION

Embodiments of the present disclosure are directed to systems and methods for detecting vulnerabilities and anomalies in a computational environment. The method uses self-learning intelligent systems with the ability to detect, defend and alert threats or illegitimate behavior in the computational environment. As such, the system is configured to continuously learn from various data sources, such as security researchers, in which a swarm intelligence may be used either alone or in conjunction with machine learning and behavior analysis. Further, the system is configured to utilize a blockchain distributed database to achieve transparency of all the transactions. The system is further configured to use advanced adaptation and distribution of intelligence, making each node or endpoint extremely intelligent and fast to proactively act on various threats.

As such, embodiments of the present disclosure are configured to use blockchain technology combined with machine learning and behavior analysis with swarm intelligence to maximize computational power by leveraging smart decision-making contracts that validate transactions between network devices, share encrypted and protected information about their functions and events across the network of clients, and make smart swarm decisions. In some embodiments, the system also enables full auditing and control of the deployed network and devices. The system is also constantly learning and accumulating new data, creating a repository that keeps growing.

Whenever possible, the same reference numerals will be used throughout the drawings to refer to the same or like parts. One embodiment of a system for detecting vulnerabilities and anomalies in a computational environment is depicted in FIG. 1, in which the system includes one or more server computing devices, one or more user computing devices, and/or one or more mobile devices that are particularly interconnected to provide the capability described herein. The system in FIG. 1 provides a particularly configured platform that utilizes a blockchain construct to manage connections between members of a swarm, and/or a plurality of nodes, particularly with respect to connecting security researchers from all over the globe so as to validate information and events or vectors of attack. The indicators or vectors of attack are recorded into a blockchain database so as to be distributed throughout the swarm and/or the plurality of nodes to protect those connected from unwanted intrusions, malware, vulnerabilities, and/or the like.

The phrase “communicatively coupled” is used herein to describe the interconnectivity of various components of the system for detecting vulnerabilities and anomalies in a computational environment and means that the components are connected either through wires, optical fibers, or wirelessly such that electrical, optical, and/or electromagnetic signals may be exchanged between the components. It should be understood that other means of connecting the various components of the system not specifically described herein are included without departing from the scope of the present disclosure.

The phrase “agent” as used herein generally refers to a piece of software, a processing unit programmed to perform one or multiple tasks. An agent can take on any role. For example, an agent may act as a rule engine, a transaction engine, a curator, and/or the like.

The phrase “alert” as used herein generally refers to notifications about an event that has occurred or may potentially occur in a computer environment.

The phrase “blockchain” as used herein generally refers to a digitized, decentralized, public ledger of all transactions. Each node (a computer connected to the network) gets a copy of the blockchain, which is downloaded automatically.

The phrase “blockchain database” as used herein generally refers to a decentralized, distributed database that uses blockchain technology. Control is decentralized. Transactions are transparent to all users and are processed by a network of users so that everyone is creating the same shared system of record simultaneously.

The phrase “curator” as used herein generally refers to a component that processes and transforms the information into a structure readable by other components.

The phrase “curator engine” as used herein generally refers to a component that curates information gathered by node clients.

The phrase “dynamic hash table” (DHT) as used herein generally refers to a data structure which implements an associative array abstract data type, a structure that can map keys to values. A hash table uses a hash function to compute an index into an array of buckets or slots, from which the desired value can be found. (key, value) pairs are stored in a DHT, and any participating node can efficiently retrieve the value associated with a given key.

The phrase “vulnerability” as used herein generally refers to a flaw or a weakness in a computer software application that can be exploited by an outside threat actor to perform unauthorized actions in a computer-based environment.

The phrase “enterprise resource planning” (ERP) as used herein generally refers to the integrated management of core business processes by software and technology. ERP is usually a suite of integrated applications with several modules. Each module is a category of business-management software. The software modules include, but are not limited to, human resources, supply chain management, customer relationship management, and/or the like. Commercially available systems may include Microsoft Dynamics, SAP, Oracle, and/or the like.

The phrase “event module” as used herein generally refers to a module that creates events and processes different types of actions. Anything that requires action is sent to the event module, which will define the action and route the information accordingly. An event module may be a group of nodes or agents.

The phrase “hive” as used herein generally refers to a collection of swarms. Each hive can hold multiple roles and/or functions depending on their role setup at its genesis. The deployed hive can only be accessed by a set of permissioned keys, keys that are enforced by Blockchain smart contracts.

The phrase “information and events” (IAE) as used herein generally refers to an indicator of activity (IOA), an indicator of events (IOE), an indicator of compromise (IOC), or an indicator of usage (IOU).

The phrase “Internet of Things” (IoT) as used herein generally refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems. These physical objects include sensor devices with embedded firmware that take in environmental readings like temperature, pressure, volume, and/or the like and relay that information over wired or wireless communication channels to a graphical user interface (GUI) on an end user application or device.

The phrase “application program interface” (API) as used herein generally refers to a software intermediary that allows two diverse software applications to communicate with each other so that the output of one application can be fed as an input to the next application, creating a more unified system in software. An API can also be used, for example, for the firmware written in an embedded systems program of Internet of Things (IoT) devices to communicate with a user dashboard or another software application, so that the related hardware sensor from the IoT devices is interpreted by a user interface software.

The phrase “malware” as used herein generally refers to malicious software written deliberately and intended to damage or disable computers, servers, computer networks and computer systems to cause harm or steal information from the target computer system. This form of software includes, but is not limited to, executable code, active content, scripts, and/or the like. Further, this form of software may be file-based or fileless.

The phrase “ransomware” as used herein generally refers to a form of malware that encrypts targeted computer systems and locks down the system until a reward or another form of monetary payment is made. The intended user is usually tricked into downloading a file that comes in an attachment in an email application.

The phrase “machine learning” as used herein generally refers to an application of artificial intelligence (AI) that provides systems the ability to automatically learn and improve from experience without being explicitly programmed. Machine learning generally focuses on the development of computer programs that can access data and use it to learn for themselves. The process of learning may begin with observations or data, such as, for example, direct experience or instruction, in order to look for patterns in data and make better decisions in the future based on the examples that are provided. The primary aim may be to allow computers to learn automatically without human intervention or assistance and adjust actions accordingly. Machine learning algorithms are often categorized as supervised or unsupervised. Supervised algorithms may apply what has been learned in the past to new data using labeled examples to predict future events. Starting from the analysis of a known training dataset, the learning algorithm may produce an inferred function to make predictions about the output values. The system may be able to provide targets for any new input after sufficient training. The learning algorithm can also compare its output with the correct, intended output and find errors in order to modify the model accordingly. In contrast, unsupervised algorithms may be used when the information used to train is neither classified nor labeled. Unsupervised learning generally studies how systems may infer a function to describe a hidden structure from unlabeled data. The system may not figure out the right output, but it explores the data and can draw inferences from datasets to describe hidden structures from unlabeled data. A reinforcement algorithm may be a learning method that interacts with its environment by producing actions and discovers errors or rewards. Trial and error search and delayed reward are the most relevant characteristics of reinforcement learning. This method may allow machines and software agents to automatically determine the ideal behavior within a specific context in order to maximize its performance. Simple reward feedback may be required for the agent to learn which action is best; this is known as the reinforcement signal.

The phrase “supervised machine learning” as used herein generally refers to the optimization of a prediction model to best describe the mapping from the input data to its assigned target label, with the end goal of being able to predict the target label of unknown data. The optimizing of the model is alternatively referred to as model fitting or model training.

The phrase “unsupervised machine learning” as used herein generally refers to a type of machine learning algorithm used to draw inferences from datasets consisting of input data without labeled responses, used for exploratory data analysis to find hidden patterns or groupings in data.

The phrase “artificial intelligence” as used herein generally refers to the development of computer systems able to perform tasks normally requiring human intelligence.

The phrase “security incident and event management” (SIEM) as used herein generally refers to real-time analysis of security alerts generated by applications and network hardware.

The phrase “firewall” as used herein generally refers to a network security device that monitors traffic to or from your network. It allows or blocks traffic based on a defined set of security rules.

The phrase “intrusion detection system” as used herein generally refers to a system whose purpose is to detect anomalies and report security issues that may compromise hosts or networks.

The phrase “web gateway” as used herein generally refers to a node (router) in a computer network, a key stopping point for data on its way to or from other networks. It is a data communication device that provides a remote network with connectivity to a host network. A web gateway allows user-initiated web/internet traffic to enter an internal network of an organization.

The phrase “email gateway” as used herein generally refers to a gateway for emails to enter an organization's internal network.

The phrase “cybersecurity landscape” as used herein generally refers to a field that includes, but is not limited to, threat intelligence, file and fileless malware, zero day, ransomware, database threats, cloud security, IoT security, mobile security, and/or the like.

The phrase “metadata” as used herein generally refers to a unique data structure used to describe other data within the system.

The phrase “audit” as used herein generally refers to a comprehensive review of an organization's adherence to regulatory guidelines to evaluate the strength and thoroughness of compliance preparations.

The phrase “data storage” as used herein generally refers to a digital mechanism used to store and hold distributed and processed information between the nodes.

The phrase “social network” as used herein generally refers to a computer application or software that enables personal interaction between people by using messages, pictures or video, shared among others, so that they can communicate with each other.

The phrase “behavior analysis” as used herein generally refers to the use of a set of rules or algorithms to detect human behavior changes.

The phrase “client network” as used herein generally refers to the connected network of the client, where the client host computers reside.

The phrase “client host” as used herein generally refers to a single computer or system used and managed by the client; it resides within the boundaries of the client network.

The phrase “TOR network” as used herein generally refers to an open network believed to protect against normal internet surveillance or traffic analysis.

The phrase “dark web (I2P)” as used herein generally refers to a part of the world wide web that is accessible only by using specialized software and is part of the Invisible Internet Project (I2P).

The phrase “knowledge database” as used herein generally refers to an incremental, structured and immutable data store that holds user- and system-curated, normalized information in a ready state to be used and aggregated by the agents and system.

The phrase “node” as used herein generally refers to a notification node, action node, or processing node depending on their predefined role. Each node acts as an independent processing unit that comprises smart contracts and a blockchain knowledge database. Every end point of any computational device/environment is a node. These end points of any computational device may include, but are not limited to, mobile phones, client computers, virtual machines, and/or the like.

The phrase “rule” as used herein generally defines the course of action to be taken for a transaction or for another rule.

The phrase “rule database” as used herein generally refers to a blockchain database that stores and records all rules created.

The phrase “rule engine” as used herein generally refers to a component that creates and/or records new rules in the rules database and also validates against existing rules in the rules database. The rule engine also includes supervised and unsupervised machine learning techniques and behavior analysis modules that provide decision-making capabilities in near real time and create alerts or notifications. It routes the traffic to the network based on validation. It is in charge of the message delivery system and can detect the type of connectivity.

The phrase “smart contract” as used herein generally refers to a piece of dynamic lines of code. It is a computer protocol intended to digitally facilitate, verify, or enforce the negotiation or performance of a contract. Smart contracts allow the performance of credible transactions without third parties. These transactions are trackable and irreversible. These contracts live within the network and within each node with a unique address. Every subsequent version of the contract is stored and a new hash identification is created. With it a contract versioning system is enforced.

The phrase “swarm” as used herein generally refers to a collection of nodes. Each swarm can hold multiple roles and/or functions depending on their role setup at its genesis. Swarms are platform independent and built upon the concept of resilient networks.

The phrase “swarm intelligence” as used herein generally refers to the study of computational systems inspired by the ‘collective intelligence’. Collective intelligence emerges through the cooperation of large numbers of homogeneous nodes in the environment. Examples include schools of fish, flocks of birds, and colonies of ants. Such intelligence is decentralized, self-organizing and distributed throughout an environment. In nature, such systems are commonly used to solve problems such as effective foraging for food, prey evading, or colony re-location. The information is typically stored throughout the participating homogeneous agents, or is stored or communicated in the environment itself, such as through the use of pheromones in ants, dancing in bees, and proximity in fish and birds. Swarm Intelligence may be generally useful for IT in terms of the following aspects: (i) Analogies in IT and social insects; (ii) Distributed system of interacting autonomous agents; (iii) Goals: performance optimization and robustness; (iv) Self-organized control and cooperation (decentralized); (v) Division of Labor and distributed task allocation; and (vi) Indirect interactions. The paradigm consists of two dominant sub-fields: (i) Ant colony optimization (ACO) that investigates probabilistic algorithms inspired by the stigmergy and foraging behavior of ants; and (ii) Particle swarm optimization (PSO) that investigates probabilistic algorithms inspired by flocking, schooling and herding. Like evolutionary computation, swarm intelligence ‘algorithms’ or ‘strategies’ are considered adaptive strategies and are typically applied to search and optimization domains.

The phrase “security data intelligence system” (SDIS) as used herein generally refers to a system that can be implemented within a permissioned network, or a private or publicly available blockchain network.

The phrase “smart contract engine” as used herein generally refers to a component that executes the smart contracts deployed across the network as needed.

The phrase “swarm application program interface” (API) as used herein generally refers to an integrator between the client and the swarm, allowing an easy interface between the user and the systems within.

The phrase “token” as used herein generally refers to a unique string sequence that identifies an object. It is calculated by applying a hashing function to the metadata, the timestamp of creation of the token and, if available, a payload of the object.

The phrase “transaction” as used herein generally represents a unit of work performed within a database management system against a database. It is independent of other transactions and generally represents any change in a database.

The phrase “transaction database” as used herein generally refers to a blockchain database that stores and records all transactions created.

The phrase “transaction engine” as used herein generally refers to a component that creates and/or records new transactions in the transactions database and also validates against existing transactions in the same.
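The following is an added example, not code from the patent, showing how the “token” definition above (a hash over metadata, creation timestamp and optional payload) and the transaction engine's record-and-validate role combine into a tamper-evident transaction database in which each record carries the identifier of the previous transaction, as the Summary describes for recorded indicators. All class and function names, the genesis identifier and the sample IAE records are this example's own constructed assumptions.

```python
"""Hash-chained transaction ledger with token identifiers (added example)."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Set

GENESIS_ID = "0" * 64  # assumed identifier that the first record links to


def compute_token(metadata: dict, timestamp: int, payload: Optional[bytes] = None) -> str:
    """Token = SHA-256 over canonical JSON metadata, timestamp and optional payload."""
    h = hashlib.sha256()
    h.update(json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode())
    h.update(b"|" + str(timestamp).encode() + b"|")  # separators avoid ambiguous concatenation
    if payload is not None:
        h.update(payload)
    return h.hexdigest()


@dataclass(frozen=True)
class Transaction:
    header: dict      # message header as a curator would produce it (constructed here)
    payload: bytes    # curated IAE data, e.g. an indicator of compromise
    timestamp: int
    prev_id: str      # identifier of the previous transaction in the chain
    tx_id: str        # token over header + prev_id, timestamp and payload


class TransactionEngine:
    """Creates and records transactions; validates new ones against existing ones."""

    def __init__(self) -> None:
        self.chain: List[Transaction] = []
        self._content_tokens: Set[str] = set()

    def record(self, header: dict, payload: bytes, timestamp: int) -> Transaction:
        """Append a transaction, rejecting malformed or duplicate submissions."""
        if not header.get("type") or not payload:
            raise ValueError("rejected: header needs a type and payload must be non-empty")
        content_token = compute_token(header, timestamp, payload)
        if content_token in self._content_tokens:
            raise ValueError("rejected: duplicate transaction")
        prev_id = self.chain[-1].tx_id if self.chain else GENESIS_ID
        # The link to the previous record is part of the hashed metadata, so the
        # identifier of every later record depends on every earlier one.
        tx_id = compute_token({"header": header, "prev": prev_id}, timestamp, payload)
        tx = Transaction(header, payload, timestamp, prev_id, tx_id)
        self.chain.append(tx)
        self._content_tokens.add(content_token)
        return tx

    def verify(self) -> Optional[int]:
        """Return the index of the first record that fails validation, or None if intact."""
        expected_prev = GENESIS_ID
        for i, tx in enumerate(self.chain):
            if tx.prev_id != expected_prev:
                return i  # link does not point at the preceding record
            recomputed = compute_token({"header": tx.header, "prev": tx.prev_id},
                                       tx.timestamp, tx.payload)
            if recomputed != tx.tx_id:
                return i  # stored contents no longer match the stored identifier
            expected_prev = tx.tx_id
        return None


def build_sample_ledger() -> TransactionEngine:
    """Constructed sample: three IAE records of the kinds the text lists (IOC, IOA, IOE)."""
    engine = TransactionEngine()
    engine.record({"type": "IOC", "rank": 3}, b"sha256:constructed-sample-hash-1", 1000)
    engine.record({"type": "IOA", "rank": 1}, b"process spawn chain (constructed)", 1001)
    engine.record({"type": "IOE", "rank": 2}, b"failed logins burst (constructed)", 1002)
    return engine


def tamper_with(engine: TransactionEngine, index: int, new_payload: bytes) -> Optional[int]:
    """Overwrite one stored record in place (keeping its id) and re-verify the chain."""
    old = engine.chain[index]
    engine.chain[index] = Transaction(old.header, new_payload, old.timestamp,
                                      old.prev_id, old.tx_id)
    return engine.verify()


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact, first bad index:", ledger.verify())          # None
    print("after tampering record 1:", tamper_with(ledger, 1, b"x"))  # 1
```

Because every identifier folds in the previous one, a record that is edited or removed is caught at its own index on the next verification, which is the property the text relies on when it calls the recorded transactions immutable and auditable.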

The phrase “vault” as used herein generally refers to a Vault 365.

The phrase “web dashboard user interface” as used herein generally refers to an interface used to administer, configure and read node, swarm or hive information; it is cross platform and can be enabled at runtime. It takes the form of a graphical user interface (GUI) that displays the IAE and other events. This end user environment can be used to configure alerts and other information according to the needs of the end customer.

The phrase “zero day” as used herein generally refers to an advanced cyber-attack that exploits a previously unknown vulnerability.

The phrase “cryptocurrency” as used herein generally refers to a form of digital currency in which cryptographic techniques are used to regulate the generation of units of currency and to verify the transfer of funds through an encrypted channel.

The phrase “reward” as used herein generally refers to cryptocurrency issued to anonymous donors of zero day vulnerabilities. The reward incentivizes anonymous programmers to share information on vulnerabilities that are not known to the public and that are used by hackers or criminal groups to exploit and attack computer systems by sending in malware, spyware, and/or the like.

The phrase “action engine” as used herein generally refers to the component in charge of executing any kind of predefined actions and interacting with the client environment. The messages sent to the client environment from the action engine could be a trigger, an alert, an alarm, a plurality of notifications, and/or the like.

The phrase “advanced persistent threats” (APT) as used herein generally refers to a set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity. An APT usually targets either private organizations, states or both for business or political motives.

The phrase “firmware” as used herein generally refers to software that is embedded in a piece of hardware.

The phrase “sensors” as used herein generally refers to a device, module, or subsystem whose purpose is to detect events or changes in its environment and send the information to other electronics, frequently a computer processor.

The phrase “peripheral components” as used herein generally refers to any auxiliary components that help or provide interaction to an IoT device.

The phrase “distributed denial of service” (DDoS) as used herein generally refers to an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.

The phrase “Vault 365” as used herein generally refers to a client/user interface.

The phrase “Payload” as used herein generally refers to user specific data in a previously established format.

The phrase “Event” as used herein generally refers to a change in the everyday operations of a network or information technology service indicating that a security policy may have been violated or a security check may have failed. An event can be any identifiable occurrence that has significance for system hardware, software or data.

The phrase “Attribute” as used herein generally refers to a piece of information or value that determines the properties of a cyber security event. In this case, an attribute may be variations of payload depending on the target.

Further, it should be appreciated that the following glossary of messages is incorporated herein:

M1—client environment 105 to curator engine 106 having the following structure: System-ID (String), System-Name (String), Date (Time String), Owner (String), Path (String), Data (Byte).

M101—curator engine to transaction engine, transaction engine to the blockchain database, the transaction engine to the rule engine, all having the following structure: TxID, TIMESTAMP, HASH, PREV-HASH, METADATA—M801 Digest, DATA—M1 Content.

M104—the rule engine to the action engine having the following structure: TXID, TIMESTAMP, HASH, PREV-HASH, METADATA, Decision Index, Decision Confidence.

M2—the rule engine to the blockchain database having the following structure: TxID, TIMESTAMP, HASH, PREV-HASH, METADATA, DATA, INDEX, CONFIDENCE, TYPE, Payload.

M10—the action engine to the client environment, action engine to SIEM, EMAIL, SMS, notifications and alerts, OS System Log, Rsyslog server, and/or the like, all having the following structure: TxID, System Origin, System Destination, Action, Reason, Payload Data.

M809—the swarm intelligence 121 to the rule engine 108; reinforced learning and knowledge distribution between all the nodes in the network, having the following structure: TxID, Timestamp, hash, prev-hash, metadata, index, data, shown as data shared between components.

M106—between nodes, data blocks (like rows in a database) all having the following structure: TxID, TIMESTAMP, HASH, PREV-HASH, METADATA, DATA, INDEX, CONFIDENCE, TYPE, Payload.

M701—curator engine to transaction engine, transaction engine to the blockchain database, the transaction engine to the rule engine, all having the following structure: TxID, TIMESTAMP, HASH, PREV-HASH, METADATA—M801 Digest, DATA—M1 Content.

M702—JSON struct: threat_id string, Threat TYPE string, files []string, urls []string.

M703—JSON struct: category: file, machine: null, errors: [], target: /tmp/malware.exe, package: null, sample_id: 1, guest: {}, custom: null, owner: , priority: 1, platform: null, options: null, status: pending, enforce_timeout: false, timeout: 0, memory: false, tags: 32 bit, acrobat_6.

M801—register new device to transaction engine 107 having the following structure: DeviceID, GPS coordinates, ROM ID, OS VERSION ID, Device name, date (time), data.

M802—event to transaction engine 107 having the following structure: DeviceID, ROM ID, OS VERSION ID, Device name, date (time), data, eventID, eventType.
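The following is an added example, not code from the patent, showing how the M1 client message is wrapped into an M101 payload whose HASH and PREV-HASH chain the records the transaction engine 107 stores, how the token of the glossary is derived, and how a tampered stored record is caught on re-validation. Field names are taken from the glossary above; the SHA-256-over-canonical-JSON encoding, the sequential TxID format, the hex encoding of the Data bytes and the tiny known-bad rule set are assumptions made for the example.

```python
"""Added example (not the patent's own code): M1 -> M101 flow, glossary
'token' derivation, and hash-chain validation by a transaction engine.
Field names follow the glossary; hashing/encoding details are assumptions."""
import hashlib
import json

GENESIS_HASH = "0" * 64  # assumed PREV-HASH for the first record in the chain
HASHED_FIELDS = ("TIMESTAMP", "PREV-HASH", "METADATA", "DATA")


def canonical(obj) -> bytes:
    """Deterministic encoding so every node hashes identical bytes (assumption)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def token(metadata, timestamp: str, payload=None) -> str:
    """Glossary 'token': hash over metadata, creation timestamp and, if
    available, the object's payload."""
    return hashlib.sha256(canonical([metadata, timestamp, payload])).hexdigest()


def make_m1(system_id, system_name, owner, path, data: bytes, date: str) -> dict:
    """M1: client environment 105 -> curator engine 106."""
    return {"System-ID": system_id, "System-Name": system_name, "Date": date,
            "Owner": owner, "Path": path,
            "Data": data.hex()}  # Data (Byte) carried as hex for JSON transport


def body_hash(tx: dict) -> str:
    """HASH covers every M101 field except TxID and HASH itself."""
    return hashlib.sha256(canonical({k: tx[k] for k in HASHED_FIELDS})).hexdigest()


class TransactionEngine:
    """Transaction engine 107: creates M101 records, validates them against the
    existing chain and stores them in a list standing in for database 103."""

    def __init__(self):
        self.chain = []

    def curate(self, m1: dict, m801_digest: str, timestamp: str) -> dict:
        """Curator step: wrap M1 content into an M101 payload with header."""
        prev_hash = self.chain[-1]["HASH"] if self.chain else GENESIS_HASH
        tx = {"TxID": f"TX{len(self.chain) + 1:06d}",  # sequential TxID (assumption)
              "TIMESTAMP": timestamp, "PREV-HASH": prev_hash,
              "METADATA": m801_digest, "DATA": m1}
        tx["HASH"] = body_hash(tx)
        return tx

    def validate(self, tx: dict) -> bool:
        """A new record must link to the current tip and carry a correct HASH."""
        expected_prev = self.chain[-1]["HASH"] if self.chain else GENESIS_HASH
        return tx["PREV-HASH"] == expected_prev and tx["HASH"] == body_hash(tx)

    def record(self, tx: dict) -> bool:
        if not self.validate(tx):
            return False
        self.chain.append(tx)
        return True

    def verify_chain(self) -> bool:
        """Re-walk stored records; editing any field breaks its HASH and the
        PREV-HASH link of the record after it."""
        prev = GENESIS_HASH
        for tx in self.chain:
            if tx["PREV-HASH"] != prev or tx["HASH"] != body_hash(tx):
                return False
            prev = tx["HASH"]
        return True


# Constructed known-bad content digests, standing in for rules stored in 103.
KNOWN_BAD = {hashlib.sha256(b"MZ\x90\x00constructed-sample").hexdigest()}


def rule_engine(tx: dict) -> dict:
    """Rule engine 108: emit an M104 decision (Index 1 = malware, 0 = clean;
    the confidence values are a placeholder policy)."""
    content = hashlib.sha256(bytes.fromhex(tx["DATA"]["Data"])).hexdigest()
    index, confidence = (1, 1.0) if content in KNOWN_BAD else (0, 0.5)
    return {"TxID": tx["TxID"], "TIMESTAMP": tx["TIMESTAMP"], "HASH": tx["HASH"],
            "PREV-HASH": tx["PREV-HASH"], "METADATA": tx["METADATA"],
            "Decision Index": index, "Decision Confidence": confidence}


def demo():
    """Constructed run: register, record, decide, then tamper with storage."""
    eng = TransactionEngine()
    m801 = token({"DeviceID": "dev-01", "ROM ID": "rom-7"}, "2024-01-01T00:00:00Z")
    m1 = make_m1("sys-01", "workstation-7", "alice", "/tmp/sample.bin",
                 b"MZ\x90\x00constructed-sample", "2024-01-01T00:00:01Z")
    tx = eng.curate(m1, m801, "2024-01-01T00:00:02Z")
    accepted = eng.record(tx)
    decision = rule_engine(tx)
    eng.chain[0]["DATA"]["Owner"] = "mallory"  # silent edit of a stored record
    return accepted, decision["Decision Index"], eng.verify_chain()


if __name__ == "__main__":
    print(demo())  # (True, 1, False): accepted, flagged, tamper detected
```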

With reference now to FIG. 1, a decentralized platform for connecting members of the swarm intelligence community using a ledger system stored on a plurality of nodes, which is also referred to herein as a computer system, is illustrated. The computer system, generally designated 10, includes, but is not limited to, a computer network 15 that is generally configured to electronically connect one or more server computing devices 20, one or more user computing devices 25, and/or one or more personal electronic devices 30 (e.g., one or more tablet computing devices 35 and/or one or more mobile devices 40).

The computer network 15 may include any network now known or later developed, including, but not limited to, a wide area network (WAN), such as the Internet, a local area network (LAN), a mobile communications network, a public service telephone network (PSTN), a personal area network (PAN), a metropolitan area network (MAN), a virtual private network (VPN), or any combination thereof.

The one or more server computing devices 20 may receive electronic data and/or the like from one or more sources (e.g., the one or more user computing devices 25), create an initial genesis block in a decentralized ledger, map a decentralized ledger to one or more authentication tokens, map references in a decentralized ledger to documents, store files referenced in decentralized ledgers, store metadata relating to the files referenced in decentralized ledgers, communicate with one or more databases, and/or the like. In some embodiments, the one or more server computing devices 20 may function as blockchain management devices. Accordingly, in some embodiments, the one or more server computing devices 20 may control a right or an ability to enter an additional block in the blockchain, as described in greater detail herein.

The decentralized ledger may be transmitted over the computer network 15 to other nodes, including, but not limited to, other ones of the one or more server computing devices 20, the one or more user computing devices 25, and/or the one or more personal electronic devices 30. In some embodiments, the computer system 10 is decentralized in a manner such that entire copies of a ledger are stored on multiple nodes. In some embodiments, the ledger may be split up such that portions thereof are stored on different nodes and no single node contains the entire ledger.

The one or more user computing devices 25 may generally provide an interface between a user and the other components connected to the computer network 15, including other users and/or other user computing devices. Thus, the user computing device 25 may be used to perform one or more user-facing functions, such as receiving one or more inputs from a user or providing information to the user. Additionally, in the event that the one or more server computing devices 20 require oversight, updating, or correction, the one or more user computing devices 25 may be configured to provide the desired oversight, updating, and/or correction. The one or more user computing devices 25 may also be used to input additional data into a data storage portion of the one or more server computing devices 20. The one or more user computing devices 25 may also be used as nodes for the purposes of storing and/or updating at least a portion of a blockchain ledger, as described in greater detail herein.

The one or more personal electronic devices 30, including the one or more tablet computing devices 35 and/or the one or more mobile devices 40, are generally electronic devices that provide an interface between a user and the other components connected to the computer network 15, similar to the one or more user computing devices 25. Thus, the one or more personal electronic devices 30 may be used to perform one or more user-facing functions, such as receiving one or more user inputs, alerts, notifications that provide information to a user, and/or the like. The one or more personal electronic devices 30 may also be used to input data into a data storage portion of the one or more server computing devices 20. The one or more personal electronic devices 30 may also be used as nodes for the purposes of storing and/or updating at least a portion of a blockchain ledger, as described in greater detail herein.

It should be understood that while the one or more user computing devices 25 are depicted as personal computers, the server computing devices 20 are depicted as servers, and the one or more personal electronic devices 30 are depicted as tablet computing devices 35 and/or mobile devices 40, these are nonlimiting examples. More specifically, in some embodiments, any type of computing device (e.g., mobile device, tablet computing device, personal computer, server, etc.) may be used for any of these components. Additionally, while each of these computing devices is illustrated in FIG. 1 as a single piece of hardware, this is also merely an example. More specifically, each of the one or more user computing devices 25, the one or more server computing devices 20, and the one or more personal electronic devices 35, 40 may represent a plurality of computers, servers, databases, components, and/or the like.

FIG. 2 schematically depicts an overview diagram of a system 100 of the network 15 having a swarm intelligence 121 for detecting and deterring malware threats in a blockchain environment. The system 100 generally includes four layers: an application layer 101, a decision layer 102, a storage layer 103 and a network layer 104.

As an overview, the application layer 101 is communicatively coupled to the decision layer 102, and the decision layer 102 is communicatively coupled to both the storage layer 103 and the application layer 101. The storage layer 103 is also communicatively coupled to the network layer 104. The application layer 101 comprises a plurality of input data 110, an action engine 109, a client user interface (UI) 114, and a plurality of client databases 115, as discussed in greater detail herein. As used herein, the term “application layer 101” may be synonymous or interchangeable with the term “client environment 105” such that a client environment 105 includes the plurality of input data 110, the action engine 109, the client user interface (UI) 114, and the plurality of client databases 115, as discussed in greater detail herein. The decision layer 102 includes a transaction engine 107 and a rule engine 108, as discussed in greater detail herein. The storage layer 103 is a blockchain database 103 having a plurality of data blocks 103 a, 103 b, 103 c, each block having a header 103 d, 103 e, 103 f respectively. It should be appreciated that the headers 103 d, 103 e, 103 f are a type of block address. It should also be appreciated that the plurality of data blocks 103 a, 103 b, 103 c and the corresponding headers 103 d, 103 e, 103 f are dynamic, and as the blockchain database 103 stores more data, more blocks with headers are added. Further, it should be appreciated that the terms “storage layer 103” and “blockchain database 103” are used interchangeably and thus generally may refer to the same structure. The network layer 104 comprises a group of nodes 111, illustrated as a client reporter node 111 a, a second node 111 b, and an infinite number of nodes 111 c that together are in communication with one another so as to form a swarm 112, as discussed in greater detail herein. Further, the network layer 104 connects the swarm 112 to the other layers (i.e. the application layer 101, the decision layer 102, and/or the storage layer 103) so as to form a swarm intelligence 121.

The application layer 101 may generally be where a client interacts with the system 100 through a client environment 105. It should be appreciated that the client environment 105 is not limited to the devices in FIG. 1, such as desktops, servers, tablets, phones, sensors such as Internet of Things devices, and/or the like. As such, input data 110 that enters the system 100 may be, for example, data from the client environment 105 that may include system logs data 202 (FIG. 3), malware data 204 (FIG. 3), IoT data 206 (FIG. 3), SIEM data 208 (FIG. 3) and/or the like. Further, because the client environment is not limited to desktops, servers, tablets, phones, sensors such as Internet of Things devices, and/or the like, the input data 110 to the client environment 105 is not limited to text files, text messages, video files, image files, and/or the like.

Input data 110 that enters the system 100 is curated by the curator engine 106 and then passed to the decision layer 102. A decision is made in the decision layer 102 and the decision is returned to the client environment 105. The action engine 109 acts on the decision and may send a signal, an alert, an alarm, a notification, and/or the like to the client UI 114. The client UI 114 may display the results, such as the alerts, the notifications, and/or the like about a particular attack or detection of malware, and/or the like, on a user interface dashboard, which may be included in the client environment 105. It should be appreciated that the client environment 105 may also be an endpoint system including, but not limited to, the server computing devices 20 (FIG. 1), the user computing devices 25 (FIG. 1), and the personal electronic devices 30 (FIG. 1).

The decision layer 102 may be where the data is processed and decisions are made based on content, rule settings and interactions with the client environment 105. As such, it should be appreciated that the decision layer 102 is configured to use artificial intelligence (AI), behavior analysis, other rule engines, and/or the like that will determine the result of a particular action being performed in the system 100.

The blockchain database 103 may be generally known as being highly distributed, easily accessible, permission based, ordered and secure. The blockchain database 103 may be configured as long term memory for the decision layer 102. As such, all rules and transactions are recorded in the blockchain database 103. Every block 103 a, 103 b, 103 c and respective header 103 d, 103 e, 103 f contains the pertinent smart contract triggers that help to identify the type of data, the direction of the data and the triggers to execute within it.

The network layer 104 is configured to interconnect the different components (i.e. the server computing device 20, the user computing device 25, the personal electronic device 30, and/or the like), and is responsible for sharing the data between peers. It should be appreciated that each node of the group of nodes 111 may be the server computing device 20 (FIG. 1), the user computing device 25 (FIG. 1), the personal electronic device 30 (FIG. 1), and/or the like. It should be appreciated that the nodes within the group of nodes 111 that are communicatively coupled, such as those in FIG. 1, are hereinafter referred to collectively as a swarm 112.

As such, it should be appreciated that data coming from the client environment 105 is distributed among each node within the group of nodes 111. Each individual node, such as the client reporter node 111 a, the second node 111 b, and the nodes 111 c, may generally consist of a smart contract 305 (FIG. 4) and a copy of the blockchain database 103. It should be appreciated that each node of the group of nodes 111 is platform independent and language independent; no particular platform or language is enforced as long as the node can communicate using the TCP/IP and UDP/IP stacks. Further, each node of the group of nodes has the capacity and capability to react to multiple actions at the same time, including but not limited to notification of events via e-mail, SMS, Syslog, UDP connection, TCP connection, web notification, JSON message, and/or the like. Further, administration events, such as firewall configuration, IDS rule writing, and shutdown and reconfiguration of devices, are contemplated.

FIG. 3 schematically depicts a component diagram of the interaction of the overview of the system 100 of FIG. 2. The input data 110 (i.e. the system logs data 202, the malware data 204, the rules database 205, the IoT data 206, the SIEM data 208) of the application layer 101 are communicatively coupled to the curator engine 106 of the application layer 101. The curator engine 106 may be configured to process and transform the input data 110 into a structure readable by other components, such as the transaction engine 107. For example, the curator engine 106 may be configured to transform the input data 110 into a valid message payload having a header M101.

Still referring to FIG. 3, the curator engine 106 is communicatively coupled to the transaction engine 107 of the decision layer 102. The blockchain database 103 is communicatively coupled to the transaction engine 107, to the swarm intelligence 121 and to a rule engine 108. As such, every transaction is logged in the network layer 104 (FIG. 2) and recorded in the blockchain database 103 as a transaction with a generated unique transaction identifier M103. It should be appreciated that the unique transaction identifier M103 may also contain other relevant data. Further, it should be appreciated that the rule engine 108 outputs a decision transaction M2 to the blockchain database 103 so that every decision and transaction is recorded within the blockchain database 103 such that all knowledge is shared and validated through the swarm intelligence 121 by all peer members, including a plurality of researchers.

The transaction engine 107 may also be responsible for evaluating the valid message payload having a header M101. For example, within the transaction engine 107, the valid message payload having a header M101 may be evaluated for IOCs, IOEs and/or vectors of attack as described in FIG. 13 below. As such, information and events (IAE) may be divided into indicators of compromise (IOC), indicators of attack (IOA), indicators of activity (IOV), and powered by indicators of usage (IOU). Each indicator may be ranked depending on the approval rating of researchers when evaluating possible vectors of attack. That is, if a vector has enough validation of approval from its peers or researchers, the indicator becomes a compromise vector and is logged in the network layer 104 (FIG. 2). As such, data is constantly analyzed in iterations. For example, something that is not a threat initially may become a threat vector in the next iteration. As such, the logging of the compromise vector orders the client reporter node 111 a (FIG. 4) to execute the appropriate smart contract enabled transactions with the user-defined action. It should be appreciated that the client reporter node 111 a (FIG. 4) may be any node of the group of nodes 111 and/or any node within the swarm 112 (FIG. 4) in which the transaction engine 107 is located, or any other node communicatively coupled to the swarm intelligence 121. The vectors and indicators are validated, logged in the network layer 104 (FIG. 2), and recorded in the blockchain database 103, as discussed in greater detail herein.

Still referring to FIG. 3, the rule engine 108 may be configured to scan the blockchain database 103 and analyze the transaction M2 so as to make a decision with regard to the transaction M2, such as whether to transform the transaction, analyze the transaction, save the transaction, and/or the like, based on a predetermined set of rules. The predetermined set of rules may be stored in the blockchain database 103 and may be modified, amended, and/or the like by the swarm intelligence 121. The rule engine 108 outputs a decision signal M104 to both the blockchain database 103 and an action engine 109, which is communicatively coupled to the rule engine 108. As such, all rule engine 108 decision signals M104 are recorded in the blockchain database 103 so as to be shared with the swarm intelligence 121. The action engine 109 may be configured to execute the decision signal M104 as well as to make a decision on whether to generate a plurality of alerts M10 to the client environment 105 and specifically to the client UI 114.

Now referring to FIG. 4, a component diagram 300 of the swarm intelligence 121 of FIG. 2 is depicted. The swarm 112 is configured to share information in an ordered and secure manner between the group of nodes 111. Each node, illustrated, without limitation, as the client reporter node 111 a, further includes a representation of the blockchain database 103 communicatively coupled to a smart contract 305.

The client reporter node 111 a processes the data, as described herein, and the node is communicatively coupled to the client environment 105 as described herein. As such, the node may take the input data 110 from the client environment 105 and output the decision signal M104 to the action engine 109 of the client environment 105, as described in greater detail above.

Still referring to FIG. 4, it should be appreciated that while the client reporter node 111 a is described as the only node in the swarm 112 communicatively coupled to the client environment 105 of the application layer 101, any of the group of nodes 111 and/or of the swarm 112 may be communicatively coupled to the client environment 105 and/or to the swarm 112. As such, the swarm 112 may include only the client reporter node 111 a communicatively coupled to the client environment 105, or nodes in addition to the client reporter node 111 a may be communicatively coupled to the client environment 105. Therefore, not every node has to be communicatively coupled to the input data 110, such that the other nodes may be configured to also perform other roles or swarm functions such as processing, storage, routing, relaying, and/or the like.

That is, each of the nodes will have its own individual behavior and will perform in a way that benefits the entire group. This is similar to nature-inspired systems such as ants, bees, and/or the like that behave individually, but with a collective mentality. The group of nodes 111 may be distributed across the network layer 104 (FIG. 2). As such, each node within the swarm 112 may be a permissioned node and may be excluded from the swarm 112 at any time. The network layer 104, in case of compromise of the node, may isolate or shut down the node and its controlled mechanism to avoid further damage or compromise. Further, the swarm 112 may contain, without limitation, an infinite number of nodes, such as the group of nodes 111 illustrated as including the client reporter node 111 a, the second node 111 b, and nodes 111 c, 111 d, 111 e, and 111 f.

FIG. 5 schematically depicts a component diagram of an interaction between the client reporter node 111 a, the second node 111 b, and the nodes 111 c of the swarm 112 of FIG. 4. The client reporter node 111 a, the second node 111 b, and nodes 111 c are communicatively coupled to one another via the network layer 104. As shown, the client reporter node 111 a, the second node 111 b, and nodes 111 c are in communication with a message exchange 402, such as communication M106 between the nodes' data blocks 103 a, 103 b, 103 c and the smart contract 305 (FIG. 4) that may enforce the logic and rules. Further, each node of the group of nodes 111 is in communication with the blockchain database 103 (FIG. 3). Communication between the client reporter node 111 a, the second node 111 b, and nodes 111 c is in the form of data blocks M106, in which each data block has the required structure to carry, transmit, and/or the like the message between the client reporter node 111 a, the second node 111 b, and nodes 111 c and between the smart contract 305, the message exchange 402, the blockchain database 103 (FIG. 3), and/or the network layer 104.

FIG. 6 schematically depicts a component diagram of a swarm deployment 500. Third party data 501, dark web data 504, social network data 505 and open sources data 506 are communicatively coupled to a data aggregator 502. The data aggregator 502 may also contain or be communicatively coupled to the curator engine 106. The data aggregator 502 is communicatively coupled to the swarm intelligence 121. As discussed above, the swarm intelligence 121 is communicatively coupled to the group of nodes 111, the transaction engines 107, the rule engines 108, and/or the blockchain database 103. The swarm intelligence 121 is communicatively coupled to the client environment by a swarm API 508. Regardless of the data source (i.e. the third party data 501, the dark web data 504, the social network data 505, and/or the open sources data 506), the swarm deployment 500 ensures that the data is aggregated, curated, and transferred to the swarm intelligence 121 for analysis. The analysis in the swarm intelligence 121 may be subject to unsupervised or supervised machine learning. The data and/or the machine learning, whether supervised or unsupervised, may be stored in the blockchain database 103. Further, it should be appreciated that machine learning, whether supervised or unsupervised, may occur in the swarm intelligence 121 and the result be transferred to the client environment via the swarm API 508.

For example, in some embodiments, the dark web data 504 or deep web data may be fed into the data aggregator 502, where the curator engine 106 will process the data in such a way that it can be used as input to the group of nodes 111 within the swarm intelligence 121. Example dark web data may come from “dark nets” including TOR and the Invisible Internet Project (I2P), which both generally serve as an attractive source for cyber criminals to host stolen credit card data, the newest forms of malware, zero day exploits, stolen social security numbers, and/or the like. The group of nodes 111 within the swarm intelligence 121 may be configured to scan the deep or dark web data 504 so as to gather information to protect against and predict an attack, along with being able to be used to scan for stolen information or gather intelligence on zero day vulnerabilities. As such, as discussed in greater detail above, the alert M10 may be generated from the data gathered and/or authenticated by the swarm intelligence 121 and passed through the swarm API 508 to the client environment 105 so as to provide alerts, notifications, and/or the like to the client environment 105 via the client UI 114.

It should be appreciated that the open sources data 506 and the third party data 501 may be predetermined as to which sources and/or which data are searched, based on agreements in place dictating which open source data (i.e. common vulnerabilities and exposures (CVE), the national vulnerability database (NVD), and/or the like) are scanned. As such, the third party data 501 and the open sources data 506 may require specific connectors to communicatively couple the data source to the data aggregator 502.

With reference now to FIG. 7, a component diagram of a malware analysisplatform 700 will now be described. The client environment 105communicatively coupled to the curator engine 106 of the applicationlayer 101. The curator engine 106 is communicatively coupled to thetransaction engine. As such, the curator engine 106 may be configured toprocess and transform the input data 110 to a structure readable byother components, such as the transaction engine 107. For example, thecurator engine 106 may be configured to transform the input data 110from a data file X into a valid message payload having a header. Thecurator engine 106 is communicatively coupled to the transaction engine107. The blockchain database 103 is communicatively coupled to the swarmintelligence 121 and to the rule engine 108. As such, every transactionis logged in the network layer 104 (FIG. 2) and recorded in theblockchain database 103 as transactions with a generated uniquetransaction identifier M103. It should be appreciated that the uniquetransaction identifier M103 may also contain other relevant data.Further, it should be appreciated that the rule engine 108 outputs thedecision transaction M2 to the blockchain database 103 so that everydecision and transaction is recorded within the blockchain database 103,as described in greater detail herein.

In this embodiment, the rule engine 108 is communicatively coupled tocurator engine 106 and to the action engine 109. The action engine 109is communicatively coupled to the client UI 114 such that, if a malwareis detected 708, as described herein, the rule engine 108 may transmitthe decision signals M104 to the action engine 109, which in turn maytransmit the plurality of alerts M10 to the client environment 105 andspecifically to the client UI 114.

Still referring to FIG. 7, the curator engine 106 is communicativelycoupled to an external malware analysis engine 702 such that the validmessage payload having a header M101 may be converted into a data fileM701, such as a hash file, so that the external malware analysis engine702 may interpret the data file M701. The external malware analysisengine 702 is communicatively coupled to the data aggregator 502, whichin turn is communicatively coupled to the curator engine 106.

Still referring to FIG. 7, the external malware analysis engine 702comprises a map behavior file engine 704 and a map client engine 706.The map behavior file engine 704 and the map client engine 706 of theexternal malware analysis engine 702 are configured to detect unknownvulnerabilities using dynamic behavior analysis. It should beappreciated that the map behavior file engine 704 may be a map file hashof the file and the map client engine 706 may be a map client hash ofthe file. The unknown vulnerabilities include, but are not limited tozero day threats, ransomware, and/or the like related to the behavioralanalysis of the malware. The external malware analysis engine 702outputs an analysis M702, which is aggregated by the data aggregator 502and then curated, by the curator engine 106, into a file format M703,which is in a structure readable by other components, such as thetransaction engine 107. The file format M703 now continues through thesame loop of creating another transaction in the blockchain database103. As such, the rule engine 108 evaluates the behavior from the newtransaction (i.e., different transaction ID) and uses the analysis fromthe map behavior file engine 704 to validate the transaction againstpast behavior models so to decide whether new transaction is malware. Ifthe rule engine 108 determines that the new transaction is malware, asillustrated by the dotted line 710 in FIG. 7, the data file is rejectedat malware decision 708 and the action engine 109 may alert the clientUI 114 as described above. On the other hand, if the rule engine 108determines that there is not malware in the new transaction, then thedata file is allowed to continue to the client environment 105 atmalware decision 708 as indicated by the dotted line 712. 
It should beappreciated that all behavior analysis is recorded in the blockchaindatabase 103, indicated by dotted line 714, such that the swarm 112 andthe swarm intelligence 121 will have immediate access to thedetermination of whether malware is or is not present as shown by theconnection line 716.

In some embodiments, the rule engine 108 behavioral models may include, but are not limited to, patterns in the Windows operating system such as audit logs, event tracing, kernel drivers and/or the like, which are not directly related to a malware sample. Each of these logs may be mapped to a smart contract, and the behavior of these patterns may be analyzed by combining the smart contract with machine learning so as to, for example, detect ransomware. In other embodiments, behavior models may include, but are not limited to, anomalies in human user behavior data, which is not related to the devices, that are inferred using statistical analysis leading to, for example and without limitation, potential insider threats, theft of internal data, and/or the like. In yet other embodiments, the malware analysis platform 700 may be used to detect zero day vulnerabilities, which may be some of the largest threats because they come from vulnerabilities that have not yet been discovered, named, or added to the catalog of known patterns. For example, the WannaCry ransomware that recently created havoc exploited the SMBv1 vulnerability that existed unnoticed for 16 years and flew under the radar of most security products until massive damage was done; such a threat may have been detected by the malware analysis platform 700, as discussed herein.
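The passage above describes behavior models built from operating-system logs rather than from a malware sample, with ransomware as the example. The following is an added illustration, not code from the patent: a behavior rule that scores a process by the burst of file renames to an unfamiliar extension it performs within a short window, evaluated over constructed Windows-style file audit events. The log format, field names, extension list and thresholds are all assumptions made for the example.

```python
"""Behavior-based ransomware indicator over Windows-style file audit events.

Added example (not the patent's code). A process that renames many files
to an extension not seen in normal use, within seconds, exhibits the
behavior the text says a log-derived model should catch, independent of
any malware sample. Event lines below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit events (assumed format, one event per line).
SAMPLE_EVENTS = r"""
2024-05-01T09:00:01 pid=4000 image=C:\Windows\explorer.exe op=RENAME src=C:\Users\ann\q1.xlsx dst=C:\Users\ann\q1-final.xlsx
2024-05-01T09:00:03 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe op=CREATE src=- dst=C:\Users\ann\README_DECRYPT.txt
2024-05-01T09:00:05 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe op=RENAME src=C:\Users\ann\Documents\a.docx dst=C:\Users\ann\Documents\a.docx.locked
2024-05-01T09:00:06 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe op=RENAME src=C:\Users\ann\Documents\b.xlsx dst=C:\Users\ann\Documents\b.xlsx.locked
2024-05-01T09:00:08 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe op=RENAME src=C:\Users\ann\Documents\c.pdf dst=C:\Users\ann\Documents\c.pdf.locked
2024-05-01T09:00:09 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe op=RENAME src=C:\Users\ann\Pictures\d.jpg dst=C:\Users\ann\Pictures\d.jpg.locked
2024-05-01T09:00:15 pid=5120 image=C:\Users\ann\AppData\Local\Temp\upd.exe op=RENAME src=C:\Users\ann\Desktop\e.txt dst=C:\Users\ann\Desktop\e.txt.locked
2024-05-01T09:10:00 pid=7777 image=C:\Tools\backup.exe op=RENAME src=C:\Data\x.txt dst=C:\Data\x.txt.bak
2024-05-01T09:20:00 pid=7777 image=C:\Tools\backup.exe op=RENAME src=C:\Data\y.txt dst=C:\Data\y.txt.bak
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Extensions considered normal in this environment (assumed baseline).
KNOWN_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".tmp", ".log"}


def parse_events(text):
    """Parse audit lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["pid"] = int(e["pid"])
        events.append(e)
    return events


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def ransomware_suspects(events, window_s=60, min_renames=4):
    """Return {pid: details} for processes whose largest burst of
    extension-appending renames to an unknown extension, within window_s
    seconds, reaches min_renames."""
    by_pid = defaultdict(list)
    for e in events:
        if e["op"] != "RENAME":
            continue
        # Encryptors typically keep the original name and append a suffix.
        appended = e["dst"].startswith(e["src"]) and e["dst"] != e["src"]
        if appended and _ext(e["dst"]) not in KNOWN_EXT:
            by_pid[e["pid"]].append(e)

    suspects = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        best, best_end, start = 0, 0, 0
        for end in range(len(evs)):  # sliding window over sorted events
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, end
        if best >= min_renames:
            suspects[pid] = {
                "image": evs[best_end]["image"],
                "renames_in_window": best,
                "new_ext": _ext(evs[best_end]["dst"]),
            }
    return suspects


if __name__ == "__main__":
    for pid, info in ransomware_suspects(parse_events(SAMPLE_EVENTS)).items():
        print(pid, info)
```

The slow `backup.exe` renames to `.bak` fall below the burst threshold and are not flagged, which is the point of scoring rate rather than the extension alone.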

FIG. 8 schematically depicts a component diagram of an internet of things processing platform 800. The processing platform 800 comprises a new device registration 801 and a new device event detection 802, which are both communicatively coupled to the curator engine 106 and then to the transaction engine 107. The new device registration 801 may be configured to register the IoT devices (i.e., the server computing devices 20, the user computing devices 25, the tablet computing devices 35, the mobile devices 40, and/or the like of FIG. 1) to the system 100 with a unique identifier 205 (FIG. 3) as the input data 110 (FIG. 3), such that once registered the data is analyzed using the structure described above in FIG. 3. The new device event detection 802 may be configured to detect device events such as changes in a plurality of sensors, which may relate to temperature or pressure. This data may be analyzed using the structure described above in FIG. 3. It should be appreciated that each device (i.e., the server computing devices 20, the user computing devices 25, the tablet computing devices 35, the mobile devices 40, and/or the like of FIG. 1) may have a unique registration number and/or unique event detection capabilities and/or signatures.

Still referring to FIG. 8, the transaction engine 107 may be configured to determine what data can be collected from the IoT devices (i.e., the server computing devices 20, the user computing devices 25, the tablet computing devices 35, the mobile devices 40, and/or the like of FIG. 1). It should be appreciated that every device registration generates a signature M801, and the signature M801 is validated to detect compromised devices. The unique signature M801 is saved to the blockchain database 103 for the firmware and code in the IoT device; the transaction M2 is sent to the rule engine 108, the rule engine 108 outputs the decision signals M104 to the action engine 109, and the action engine 109 outputs the plurality of alerts M10 to the client environment 105, as described in greater detail with reference to FIG. 3. It should be appreciated that the unique signature saved in the blockchain database 103 is then also available to the swarm intelligence 121 to analyze the firmware and the code in the IoT devices. As such, this analysis assists the IoT devices with the enabled capabilities, shielding them and enforcing continuous working order.
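One concrete way to realize the registration signature described above is to bind the device's unique identifier to a cryptographic measurement of its firmware at registration time and re-check that binding whenever the device reports in. The code below is an added example, not the patent's or any product's code: it uses a SHA-256 firmware measurement and an HMAC under a registration key that the transaction engine is assumed to hold; the device ids, firmware images and key are constructed for the example.

```python
"""IoT device registration signature and later validation (added example).

register() measures the firmware image, binds (device_id, measurement) with
an HMAC signature and stores the record. validate() re-measures whatever
the device presents and compares signatures, so modified firmware, an
unregistered device, or a tampered record all produce an alert decision.
"""
import hashlib
import hmac

# Assumption: a secret held by the registering component, constructed here.
REGISTRY_KEY = b"constructed-registration-key-for-example"


def measure(firmware: bytes) -> str:
    """SHA-256 over the firmware/code image as reported by the device."""
    return hashlib.sha256(firmware).hexdigest()


def sign_registration(device_id: str, firmware_hash: str, key: bytes = REGISTRY_KEY) -> str:
    msg = f"{device_id}|{firmware_hash}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class DeviceRegistry:
    """Records one signature per device id; records are never overwritten."""

    def __init__(self, key: bytes = REGISTRY_KEY):
        self.key = key
        self.records = {}  # device_id -> {"firmware_hash", "signature"}

    def register(self, device_id: str, firmware: bytes) -> dict:
        if device_id in self.records:
            raise ValueError(f"device {device_id} already registered")
        fw_hash = measure(firmware)
        record = {
            "device_id": device_id,
            "firmware_hash": fw_hash,
            "signature": sign_registration(device_id, fw_hash, self.key),
        }
        self.records[device_id] = record
        return record

    def validate(self, device_id: str, firmware: bytes) -> dict:
        """Decision for a device presenting its current firmware image."""
        record = self.records.get(device_id)
        if record is None:
            return {"decision": "alert", "reason": "unknown_device"}
        # First check the stored record itself has not been altered.
        stored_expected = sign_registration(device_id, record["firmware_hash"], self.key)
        if not hmac.compare_digest(stored_expected, record["signature"]):
            return {"decision": "alert", "reason": "record_tampered"}
        # Then check the device still runs the firmware it registered with.
        presented = sign_registration(device_id, measure(firmware), self.key)
        if hmac.compare_digest(presented, record["signature"]):
            return {"decision": "allow", "reason": "signature_match"}
        return {"decision": "alert", "reason": "firmware_changed"}


if __name__ == "__main__":
    # Constructed firmware images for the example.
    registry = DeviceRegistry()
    registry.register("sensor-17", b"firmware v1.4 image bytes")
    print(registry.validate("sensor-17", b"firmware v1.4 image bytes"))
    print(registry.validate("sensor-17", b"firmware v1.4 image bytes + implant"))
    print(registry.validate("sensor-99", b"anything"))
```

Using an HMAC rather than a bare hash means the stored record is also self-checking: if the record in the database were altered to match a new firmware hash without the key, `validate()` reports `record_tampered` instead of silently accepting the change.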

Now referring to FIG. 9, a component diagram of a privacy policy regulation enforcement system 900 is depicted. The system includes the client UI 114, the client environment 105, and the swarm intelligence 121. The client environment 105 has the plurality of client databases 115, a plurality of client applications 903, the curator engine 106, and the action engine 109. The plurality of client applications 903 includes a new user register 901 and a new user event 902. The plurality of client applications 903 is communicatively coupled to the plurality of client databases 115. The curator engine 106 is communicatively coupled to both the client environment 105 and the plurality of client databases 115. The swarm intelligence 121 includes the transaction engine 107, the blockchain database 103, and the rule engine 108 as described in greater detail herein. The swarm intelligence 121 is communicatively coupled to the client environment 105. The transaction engine 107 is communicatively coupled to the curator engine 106 and to the blockchain database 103. The blockchain database 103 is communicatively coupled to the rule engine 108. The rule engine 108 is communicatively coupled to the action engine 109. The action engine 109 is communicatively coupled to the client UI 114. The system 900 is configured to execute and enforce a plurality of data traceability from an integrated system across a browser, a session, a webserver, or the plurality of first databases configured with personal identifiable information, by indexing the personal identifiable information from a genesis block such that a user is permitted to log, delete or encrypt the personal identifiable information according to current and future policy laws.

As such, any third party application that is capable of interacting with the curator engine 106, the action engine 109 and/or the like so as to log and trace any data within a computer system can be used. By leveraging this degree of control and logging, it is possible to give absolute ownership of the user data back to the user, by showing and logging every interaction within the system 900 that is hosting the application or web page being used. Any kind of information stored in the host database, for example the blockchain database 103, web server, client environment 105 and/or the like, can be traced and logged within a permissioned blockchain database.

Still referring to FIG. 9, it should be appreciated that the privacy policy regulation may be General Data Protection Regulation (GDPR) enforcement. That is, by executing and enforcing data traceability across browsers, sessions, web servers, databases with Personal Identifiable Information (PII), logs and any other system capable of being integrated, these may all be included in the system 900. By indexing PII from its genesis, it is possible to reference its location, storage media, and size, ensuring all locations and media are accessible to the user and allowing deletion and encryption checks according to current and future policy laws.
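The two paragraphs above describe indexing each copy of a subject's PII by location, storage medium and size so that the subject can trace it, erase it, and verify the erasure. The following is an added example of such an index, not the patent's or any product's code. The four backing stores are constructed in-memory dictionaries standing in for a browser store, a session store, a web-server log and a client database; the class and method names are assumptions for the example.

```python
"""PII traceability index with trace, erase and deletion check (added example).

Every time a subject's personal data is written somewhere, the write is
registered against the subject with store, key and size, and appended to
an audit trail. erase() removes the indexed copies; deletion_check()
then scans every store for residual copies, which catches data that was
copied without going through the index (the web-server log below).
"""
from collections import defaultdict


class PIIIndex:
    def __init__(self, stores):
        self.stores = stores            # name -> {"media": str, "data": {key: value}}
        self.refs = defaultdict(list)   # subject -> [(store, key), ...]
        self.audit = []                 # append-only record of every action

    def _log(self, action, subject, detail):
        self.audit.append({"seq": len(self.audit), "action": action,
                           "subject": subject, "detail": detail})

    def register(self, subject, store, key, value):
        """Store a value and index it under the subject it belongs to."""
        self.stores[store]["data"][key] = value
        self.refs[subject].append((store, key))
        self._log("store", subject, {"store": store, "key": key, "size": len(str(value))})

    def trace(self, subject):
        """Every indexed copy still present, with location, media and size."""
        found = []
        for store, key in self.refs[subject]:
            data = self.stores[store]["data"]
            if key in data:
                found.append({"store": store, "media": self.stores[store]["media"],
                              "key": key, "size": len(str(data[key]))})
        return found

    def erase(self, subject):
        """Remove all indexed copies; returns how many were actually removed."""
        removed = 0
        for store, key in self.refs[subject]:
            if self.stores[store]["data"].pop(key, None) is not None:
                removed += 1
        self._log("erase", subject, {"removed": removed})
        return removed

    def deletion_check(self, subject, known_values):
        """Scan all stores for residual copies of the subject's known values."""
        residual = [(name, key)
                    for name, s in self.stores.items()
                    for key, v in s["data"].items()
                    if any(val in str(v) for val in known_values)]
        self._log("deletion_check", subject, {"residual": residual})
        return residual


def build_example():
    """Constructed environment: four stores and one subject's data."""
    stores = {
        "browser": {"media": "local-storage", "data": {}},
        "session": {"media": "memory", "data": {}},
        "webserver_log": {"media": "disk", "data": {}},
        "client_db": {"media": "disk", "data": {}},
    }
    idx = PIIIndex(stores)
    idx.register("user-42", "browser", "profile.email", "ann@example.com")
    idx.register("user-42", "session", "sess-7f.email", "ann@example.com")
    idx.register("user-42", "client_db", "users.42", {"name": "Ann", "email": "ann@example.com"})
    # A copy written by a logger that bypassed the index (constructed leak).
    stores["webserver_log"]["data"]["req-1001"] = "GET /profile user=ann@example.com"
    return idx


if __name__ == "__main__":
    idx = build_example()
    print(idx.trace("user-42"))
    print("removed:", idx.erase("user-42"))
    print("residual:", idx.deletion_check("user-42", ["ann@example.com"]))
```

The deletion check is the part that matters for a "right to erasure" workflow: removing only what the index knows about is not enough, so the check scans every store for the subject's values after erasure and reports the un-indexed copy in the web-server log.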

Now referring to FIG. 10, a schematic illustration of the user interface 1000 is depicted. As discussed herein, any and all vulnerabilities, security threats, and/or the like are monitored from the user interface 1000. As such, the user interface 1000 may be a visual construct of the underlying data structures that makes possible the visual representation of malware threat analytics within the client environment 105, showing the potential threat index over time and an overview summarizing the risks and agents of the client being engaged at any given time. The user interface 1000 may display a plurality of significant events occurring within the swarm 112 and provides the client the complete graphical view of the events, categories, event types, distribution, and/or the like. Therefore, the overall threats identified, malware identified, and threats that are coming from a network or network scans identified are displayed.

As such, the user interface 1000 may display a threat analytics graphical representation 1005, permit a unified threat management 1010, and permit a threat response 1015. The threat analytics graphical representation 1005 may graphically represent different threat metrics identified for a time period for malware, network scans, incidents, IOA, IOE, corresponding Agents, and/or the like. The unified threat management 1010 may permit a CSO/user to configure data sources for log files, to set up deceptive honeypots, crawlers, and/or the like as preventive measures. The threat response 1015 may permit a CSO/user to configure alerts, roles, response mechanisms for threats detected, and/or the like. It should be appreciated that the user interface 1000 is not limited to these data structures and/or the visual constructs herein.

The origins and path of a threat can be traced from the user interface 1000. A swarm 112 under attack may be seen from the user interface 1000. The user interface 1000 may display a bird's eye view of the swarm 112 and events within the swarm 112. The group of nodes 111 within the swarm 112 may be displayed. A user may be able to drill down for any selected or particular node within the group of nodes 111. The events are viable payloads that can be transferred between each node of the group of nodes 111. The transfer of event information as payloads between each node of the group of nodes 111 within the blockchain database 103 may also be seen from the user interface 1000. Further, the user interface 1000 may also provide clients with customization capabilities for the alerts, triggers, incident response and notifications, and/or the like. An overview of the threats 1020 is provided on the user interface 1000. As such, the user interface 1000 offers threat management, different kinds of threat analytics 1025 and the ability to configure threat response, amongst others. Data sources can be configured using the user interface 1000. Honeypots and crawlers may be configured for deception and to deflect threats and intruders.

Now referring to FIG. 11, a flow diagram depicting an illustrative method of researching and reporting cyber threats 1100 will now be described. It should be appreciated that the method of researching and reporting cyber threats 1100 starts with a researcher, at block 1101, searching for a plurality of security or vulnerability threats, at block 1105. If the researcher does not find the plurality of security or vulnerability threats, at block 1105, the researcher continues searching at block 1101. If the researcher discovers at least one of the plurality of security or vulnerability threats, at block 1105, the researcher may anonymously upload and/or submit the plurality of security or vulnerability threats, at block 1110, where the submission is recorded in the blockchain database 103, at block 1115. Once recorded, the at least one of the plurality of security or vulnerability threats is transmitted to the network 15 (FIG. 2) so that there may be public research to discover the security or vulnerability threats, at block 1120, such that the at least one of the plurality of security or vulnerability threats is available for a peer review, at block 1125.

A score is assigned to the at least one of the plurality of security or vulnerability threats based on the peer reviews, at block 1130, and a reward is generated based on the score, at block 1135, such that the researcher receives the reward, at block 1101, and both the scores and the rewards are recorded in the blockchain database 103 at block 1115. It should be appreciated that rewards may be used in an ICO. Further, the rewards may be issued within the system by a proof of work mechanism such as, without limitation, cryptocurrencies including Bitcoin, Ethereum, and/or the like. Moreover, it should be appreciated that the peer review may be performed by a plurality of external individuals, a plurality of researchers, a plurality of machines having supervised and/or unsupervised machine learning and configured to provide legitimate intelligence, computational validation and/or the like. As such, the plurality of external individuals, the plurality of researchers, the plurality of machines and/or the like may be rewarded through a valid and fair mechanism such as, without limitation, cryptocurrencies including Bitcoin, Ethereum, and/or the like.

Now referring to FIG. 12, a flow diagram depicting an illustrative method of a system start-up process 1200 is depicted. The system is booted, at block 1205. When the system is booted, a genesis block is created, at block 1210. The genesis block may be configured to generate the IDs and hashes for all other connected nodes of the group of nodes 111, the transaction engines 107, the curator engines 106, the rule engines 108, the blockchain databases 103, and/or the like, such that when data enters the nodes 111, a smart contract engine (not shown) may generate the smart contract 305 having the header, which consists of timestamp, data, hash, previous hash and respective ID. The header, along with the valid message payload having a header M101, may be transferred to the group of nodes 111 at lightning speed. As such, from the onset, or an initial state, datasets from data vectors and data structures are pushed to the blockchain based system 100, at block 1215. Metadata (digital representations of the assets) for all structures such as firewalls, servers, database systems, and/or the like is created, at block 1220. At block 1225, a plurality of rules are established and, at block 1230, a connection with the network layer 104 is established such that there is communication between the swarm 112 and/or the swarm intelligence 121. Therefore, the plurality of rules are constantly being validated and created, as illustrated at line 1227. The transaction engine 107 collects the metadata from the network layer 104, at block 1235, sends the collected metadata from the network layer 104 to the metadata at block 1220, as illustrated by line 1237, and writes to the blockchain database 103, at block 1240. It should be appreciated that this process 1200 is continuous and the system is not waiting for analysis from a centralized source to generate any alert, as every node is equally matured to detect and respond to attacks.

FIG. 13 depicts an example flow diagram of an illustrative method 1300 of data flow and processing data to determine whether an incident of compromise has occurred. The curator engine 106 begins at block 1301 to transfer the valid message payload having a header M101 into the system 200 (FIG. 3) such that any IOC's, IOE's, IOA's, and/or the like may be classified at block 1305. The classified IOC's, IOE's, IOA's are then checked as to whether the IOC's, IOE's, IOA's exist in the blockchain database 103, at block 1310. If the IOC's, IOE's, IOA's do not exist in the blockchain database 103 at block 1310, then the IOC's, IOE's, IOA's are created at block 1315 and deployed on the network layer 104 at block 1320 so as to be validated and ranked in the network at block 1325, while concurrently saving the IOC's, IOE's, IOA's in the blockchain database 103 at block 1330. On the other hand, if the IOC's, IOE's, IOA's exist in the blockchain database 103, then the IOC's, IOE's, IOA's may be validated and ranked in the network at block 1325. It should be appreciated that the validation, ranking, and/or the like in the network may be performed by a plurality of researchers, a plurality of individuals, an automated analysis such as unsupervised or supervised machine learning, a network consensus from the client environment, and/or the like.

With the validation, rank, and/or the like of the IOC's, IOE's, IOA's completed, the validation, rank, and/or the like are saved to the blockchain database 103 at block 1330. The rule engine 108 analyzes the saved IOC's, IOE's, and IOA's, the validation, the rank, and/or the like from the blockchain database 103 at block 1335 so as to determine what action, if any, is needed by the action engine 109 at block 1340.
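The FIG. 12 description gives the header fields of a block (timestamp, data, hash, previous hash and ID) and a genesis block at start-up; the FIG. 13 flow classifies an indicator, checks whether it already exists in the blockchain database, creates it if not, and records its validation rank. The block below is one added example serving both passages; it is not the patent's code. The hash-chained ledger, the indicator classifier patterns, and the `rank_fn` hook standing in for the network's validation step are all assumptions made for the example.

```python
"""Hash-chained ledger with a genesis block, plus the classify / lookup /
create / rank flow of FIG. 13 on top of it (added example, not the
patent's code). Each block header carries id, timestamp, data, previous
hash and its own hash; verify() recomputes every hash, so any edit to a
stored block or to the chain order is detected.
"""
import hashlib
import json
import re
import time
from dataclasses import dataclass

GENESIS_PREV = "0" * 64


def block_hash(block_id, timestamp, data, previous_hash):
    payload = json.dumps([block_id, timestamp, data, previous_hash], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass(frozen=True)
class Block:
    block_id: int
    timestamp: float
    data: dict
    previous_hash: str
    hash: str


class Ledger:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so runs are reproducible
        self.chain = []
        self._append({"type": "genesis"}, GENESIS_PREV)

    def _append(self, data, previous_hash):
        block_id, ts = len(self.chain), self.now()
        h = block_hash(block_id, ts, data, previous_hash)
        self.chain.append(Block(block_id, ts, data, previous_hash, h))
        return self.chain[-1]

    def add(self, data):
        return self._append(data, self.chain[-1].hash)

    def verify(self):
        """True only if every block's hash and back-link still hold."""
        for i, b in enumerate(self.chain):
            expected_prev = GENESIS_PREV if i == 0 else self.chain[i - 1].hash
            if b.previous_hash != expected_prev:
                return False
            if block_hash(b.block_id, b.timestamp, b.data, b.previous_hash) != b.hash:
                return False
        return True

    def find(self, kind, value):
        for b in self.chain:
            if b.data.get("type") == kind and b.data.get("value") == value:
                return b
        return None


# Assumed indicator classes for the example (FIG. 13 block 1305).
INDICATOR_PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$")),
    ("ipv4", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("domain", re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")),
]


def classify(indicator):
    for kind, pattern in INDICATOR_PATTERNS:
        if pattern.match(indicator.lower()):
            return kind
    return "unknown"


def process_indicator(ledger, indicator, rank_fn):
    """Classify, look up, create if absent, then record the network rank.
    rank_fn stands in for the peer / consensus / ML validation step."""
    kind = classify(indicator)
    status = "existing" if ledger.find("ioc", indicator) else "created"
    if status == "created":
        ledger.add({"type": "ioc", "kind": kind, "value": indicator})
    rank = rank_fn(kind, indicator)
    ledger.add({"type": "rank", "value": indicator, "rank": rank})
    return {"kind": kind, "status": status, "rank": rank}


if __name__ == "__main__":
    led = Ledger()
    print(process_indicator(led, "198.51.100.7", lambda k, v: 3))
    print(process_indicator(led, "198.51.100.7", lambda k, v: 4))
    print("chain valid:", led.verify(), "blocks:", len(led.chain))
```

Ranks are appended as their own blocks rather than edited into the indicator's block, which is what keeps the ledger append-only: the rule engine reads the latest rank block for an indicator, and the history of earlier rankings stays verifiable.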

It should be appreciated that the smart contract engine (not shown) may be configured to process the smart contracts 305, generally known as a piece of dynamic lines of code. Smart contracts are a computer protocol intended to digitally facilitate, verify, or enforce the negotiation or performance of a contract. Smart contracts allow the performance of credible transactions without third parties. These transactions are trackable and irreversible and live within the network layer 104 (FIG. 2) and within each node, such as, without limitation, the client reporter node 111 a, the second node 111 b, and the nodes 111 c, 111 d, 111 e, 111 f, with a unique address. Every subsequent version of the contract is stored and a new hash id is created; with it a contract versioning system is enforced. Smart contracts are deployed within the network, so all behavioral analysis can be validated and evaluated by all peer members. In one embodiment, behavioral information includes, but is not limited to, patterns in the Windows operating system such as audit logs, event tracing, filesystem changes, kernel driver modification, memory corruption, buffer overflow, and/or the like that are not directly related to a malware sample. Each of these logs can be mapped to a smart contract, and the behavior of these can be analyzed by combining the smart contract with machine learning, for example to detect ransomware. In another embodiment, behavior analysis includes, but is not limited to, human behavior that falls outside the pattern and creates anomalies that indicate illegitimate actions.

In some embodiments, a computer program capable of detecting vulnerabilities and anomalies in a computational environment is disclosed, using a distributed approach to intelligence and machine learning implementations. As such, a block chain environment as a distributed knowledge database may be used. Vulnerabilities and anomalies existing in a cybersecurity landscape may be detected. The input to such systems includes threat data, such as security information and event management (SIEM), firewalls and unified threat management systems, intrusion detection and prevention, secure web gateways, secure email gateways, endpoint protection, web application protection, distributed denial of service, vulnerability management, security orchestration, and/or the like. The vulnerabilities and anomalies in any cybersecurity landscape include, but are not limited to, zero day, malware, ransomware, persistent threats, and/or the like. It should be understood that the machine learning implementation includes both supervised and unsupervised learning. Further, the swarm implementation includes, but is not limited to, particle swarm optimization techniques. Further yet, this method may generate a unique digital representation of the target computer environment and categorize server metadata, including but not limited to ports, current system configuration, operating system, current user usage and permissions, access levels, network configuration and connectivity, services and active services. By auditing specific portions of the databases and services, executing predefined queries and storing the results in an immutable blockchain database distributed among trusted agents, key changes to the configuration that could affect usability, overall system integrity and/or compromise of information may be identified by administrators and users alike. As such, detected vulnerabilities and anomalies reported include, but are not limited to, alerts and notifications on a user accessible interface (UI) for further action.

Another embodiment envisioned is a method to analyze and detect vulnerabilities and anomalies on Internet of Things (IoT) enabled devices, computer environments and related components by generating a unique digital representation of the target device and/or environment and categorizing server metadata, including but not limited to ports, current system configuration, operating system, current user usage and permissions, access levels, network configuration and connectivity, services and active services, and interconnected components. This is done by auditing specific portions of the datasets and services, executing predefined queries and storing the results in an immutable blockchain database distributed among trusted agents. As such, key changes may be identified by administrators and users alike, including identification of a configuration that may affect usability, overall system integrity and/or compromise of information. Related components include, but are not limited to, memory storage devices and endpoint sensor components. This method may include the capabilities for analyzing and validating data between the agents, allowing data particle swarm optimization analysis methodology and/or the like to take place. By leveraging such data and filtering it with supervised and unsupervised machine learning techniques, the system can learn and detect anomalies, malfunctioning devices, and insecure components. Such anomalies include cyber security threats and incidents that can affect usability, overall system integrity, and/or compromise of information. Such a computer environment includes, but is not limited to, firmware of devices, drivers of sensors and peripheral components of the IoT devices, and the human machine interface. Such detected vulnerabilities and anomalies reported include, but are not limited to, alerts and notifications on a user accessible interface (UI) for further action.

Another embodiment contemplated is a method to generate auditable, compliant and immutable data of a computer environment by using a distributed approach to intelligence and machine learning implementations. Such a method includes using a block chain environment as a distributed knowledge database. The input to such a system includes threat data, such as security information and event management (SIEM), firewalls and unified threat management systems, intrusion detection and prevention, secure web gateways, secure email gateways, endpoint protection, web application protection, distributed denial of service, vulnerability management, security orchestration, and/or the like. Such detected vulnerabilities and anomalies reported include, but are not limited to, alerts and notifications on a user accessible interface (UI) for further action. Such auditable information excludes personal identifiable information, according to the GDPR regulatory domain.

Another embodiment contemplated is a method to analyze and detect vulnerabilities and security anomalies in data storage by generating a unique digital representation of the target device and/or environment and categorizing the file metadata. Such a method includes using a blockchain environment as a distributed knowledge database and using a distributed approach to intelligence and machine learning implementations. Such a data environment includes, but is not limited to, cloud environments such as Microsoft Office 365, Dropbox, Google Drive, Sharepoint, and/or the like. Such detected vulnerabilities and anomalies reported include, but are not limited to, alerts and notifications on a user accessible interface (UI) for further action.

Another embodiment contemplated is a method to analyze and detect vulnerabilities and security patch advisories by generating a unique digital representation of the target device and/or environment and categorizing the file metadata. Such a method includes using a blockchain environment as a distributed knowledge database, with a distributed approach to intelligence and machine learning implementations, to identify key components to patch according to the scenarios of an attack surface of the objects. Such detected vulnerabilities and anomalies reported include, but are not limited to, alerts and notifications on a user accessible interface (UI) for further action.

Another embodiment contemplated is a method that allows the security community to share, test, and deploy unknown vulnerabilities and anomalies using a peer review platform. Such a peer review platform includes, but is not limited to, a blockchain network, a peer to peer network, social networks, and/or the like. Such unknown vulnerabilities and anomalies include, but are not limited to, zero day, ransomware, malware, critical failure, network attack, misconfiguration, and/or the like.

Another embodiment contemplated is a method that allows the sharing, analysis and enforcement of privacy policy regulations such as GDPR, optionally managed for and by the company end user. Such information is shared within a client side node that is installed, reviewed, and audited by the user in the browser, directly connected, encrypted and shared with a blockchain created within the swarm for such use. Such information being generated, logged, and added to the blockchain can be reviewed, erased or downloaded by any permission-granted user according to the ownership data regulatory domain. Further, the method may allow the company end user to handle, observe, analyze, and share their own personal identifiable information.

In some embodiments, in a nonlimiting example of the operation of the system 100, malware and its behavior are classified and stored on a block-chain type system, generating transactions and derivative behavior caused by the target systems. The matching hash of the malware is then distributed among the peer devices and analytical engines to further detect and/or explore the malware behavior. If any device detects similar malware metadata information, such node can alert, shut down or notify the target or connected system that originated such alarm. In another embodiment, related to intrusion detection systems that detect whether a given node has an anomaly through an outside intruder being stationed illegally in a client environment, the swarm intelligence 121 connected to the rule engine 108 will employ techniques like PSO for effective intrusion detection systems. PSO helps to find the optimal solution for detecting intrusions in terms of Artificial Neural Networks (ANNs) by finding the optimized values of the weights of the ANNs. The optimized ANN solution identifies intrusive and non-intrusive activities in the computer network. In a nutshell, swarm intelligence based techniques like PSO are among the most promising techniques for developing an effective solution in the field of Intrusion Detection and Fraud Detection, combined with ANNs using Artificial Intelligence techniques.
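The paragraph above states the PSO-plus-ANN idea at a high level: the swarm searches the weight space of a small neural network so that the network separates intrusive from non-intrusive connection records. The code below is an added example of exactly that combination, not the patent's code and not a real intrusion data set: a 2-3-1 network in pure Python whose 13 weights are optimized by a standard particle swarm against a constructed, labelled set of two-feature connection records. The feature meanings, the cluster layout (chosen so that no single straight line separates the classes, which is why a hidden layer is needed) and all PSO parameters are assumptions.

```python
"""PSO-optimized ANN weights for a toy intrusion classifier (added example).

Network: 2 inputs -> 3 tanh hidden units -> 1 sigmoid output (13 weights).
PSO moves a swarm of weight vectors toward the lowest mean-squared error on
the constructed training set; no gradients are used.
"""
import math
import random

N_IN, N_HID = 2, 3
N_W = N_HID * (N_IN + 1) + (N_HID + 1)  # 13 weights including biases


def constructed_dataset(rng, per_cluster=8, jitter=0.08):
    """Constructed records: (feature1, feature2) in [0,1], label 1 = intrusive.
    Features stand for e.g. normalized connection rate and failed-auth ratio."""
    centers = [((0.1, 0.1), 0), ((0.9, 0.9), 0), ((0.9, 0.1), 1), ((0.1, 0.9), 1)]
    data = []
    for (cx, cy), label in centers:
        for _ in range(per_cluster):
            data.append(((cx + rng.uniform(-jitter, jitter),
                          cy + rng.uniform(-jitter, jitter)), label))
    return data


def predict(w, x):
    """Forward pass; weights are laid out hidden-unit by hidden-unit, bias last."""
    hidden = []
    for j in range(N_HID):
        base = j * (N_IN + 1)
        s = w[base + N_IN] + sum(w[base + i] * x[i] for i in range(N_IN))
        hidden.append(math.tanh(s))
    base = N_HID * (N_IN + 1)
    s = w[base + N_HID] + sum(w[base + j] * hidden[j] for j in range(N_HID))
    return 1.0 / (1.0 + math.exp(-s))


def loss(w, data):
    return sum((predict(w, x) - y) ** 2 for x, y in data) / len(data)


def accuracy(w, data):
    return sum((predict(w, x) >= 0.5) == (y == 1) for x, y in data) / len(data)


def pso_train(data, rng, n_particles=40, iters=300, inertia=0.72,
              c1=1.5, c2=1.5, bound=6.0):
    """Canonical PSO over the weight vector; returns (best_w, f_start, f_end)."""
    pos = [[rng.uniform(-bound, bound) for _ in range(N_W)] for _ in range(n_particles)]
    vel = [[rng.uniform(-1.0, 1.0) for _ in range(N_W)] for _ in range(n_particles)]
    pbest = [p[:] for p in pos]
    pbest_f = [loss(p, data) for p in pos]
    g = min(range(n_particles), key=lambda i: pbest_f[i])
    gbest, gbest_f = pbest[g][:], pbest_f[g]
    initial_f = gbest_f
    vmax = bound / 2
    for _ in range(iters):
        for i in range(n_particles):
            for d in range(N_W):
                r1, r2 = rng.random(), rng.random()
                v = (inertia * vel[i][d]
                     + c1 * r1 * (pbest[i][d] - pos[i][d])
                     + c2 * r2 * (gbest[d] - pos[i][d]))
                vel[i][d] = max(-vmax, min(vmax, v))          # velocity clamp
                pos[i][d] = max(-bound, min(bound, pos[i][d] + vel[i][d]))
            f = loss(pos[i], data)
            if f < pbest_f[i]:                                # personal best
                pbest[i], pbest_f[i] = pos[i][:], f
                if f < gbest_f:                               # global best
                    gbest, gbest_f = pos[i][:], f
    return gbest, initial_f, gbest_f


def train_intrusion_detector(seed=7):
    """Deterministic end-to-end run; returns weights and quality figures."""
    rng = random.Random(seed)
    data = constructed_dataset(rng)
    w, f_start, f_end = pso_train(data, rng)
    return {"weights": w, "loss_start": f_start, "loss_end": f_end,
            "accuracy": accuracy(w, data)}


if __name__ == "__main__":
    result = train_intrusion_detector()
    print("loss %.4f -> %.4f, accuracy %.2f" %
          (result["loss_start"], result["loss_end"], result["accuracy"]))
```

The swarm's personal-best and global-best terms are what let it escape the linear-boundary solutions that leave one cluster misclassified; in a real deployment the constructed records would be replaced by labelled connection features from the rule engine's inputs, and the trained weights would be what each node stores and shares.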

It should be appreciated that this disclosure has a unique strength to support various applications that include, but are not limited to, IoT, malware and/or the like in a single integrated environment, which drastically enhances the speed of detecting threats, eliminates the redundant effort of searching for similar threats in different applications independently, and reduces false positives as the system has the integrated view of all security solutions.

While particular embodiments have been illustrated and described herein, it should be understood that various other changes and modifications may be made without departing from the spirit and scope of the claimed subject matter. Moreover, although various aspects of the claimed subject matter have been described herein, such aspects need not be utilized in combination. It is therefore intended that the appended claims cover all such changes and modifications that are within the scope of the claimed subject matter.

What is claimed is:
 1. A method of detecting malware vulnerabilities in a computational environment, the method comprising the steps of: receiving, from a client environment, at least one input data distributed among a plurality of nodes within a particular network; receiving, from at least one of the plurality of nodes, the at least one input data into a curator engine to convert the at least one input data into a payload having at least one message header; receiving, from the curator engine, the payload having the at least one message header into a transaction engine; storing, from the transaction engine, the payload having the at least one message header into a blockchain database; receiving and processing, by a rule engine, the payload having the at least one message header to make a decision to transform or analyze the transaction based on a predetermined set of rules; converting, by the curator engine, the payload having the at least one message header into a data file; evaluating, by an external malware analysis engine, the data file; aggregating, by a data aggregator, the data file for a plurality of behavior models; converting, by the curator engine, the data file into a valid message payload having a header; wherein the header of the valid message payload is determined whether to be malware, by the rule engine, assigning a second transaction identification and storing the determination prior to the rule engine rejecting the header of the valid message payload or permitting the header of the valid message payload as a validated message payload into the client environment.
 2. The method of claim 1, wherein the step of evaluating by the external malware analysis engine includes analyzing the data file for a behavior, mapping the behavior, and outputting a signal of the external malware analysis engine indicating whether the data file is malicious.
 3. The method of claim 2, further comprising the steps of: validating, by the rule engine, the mapped behavior against a plurality of past behavior models and a knowledge database; and determining, by the rule engine, an existence of malware, wherein if the existence of malware is present, the data file is rejected and a client user interface is notified via an action engine, wherein if the existence of malware is not present, the data file is recorded in the blockchain database and transferred to a swarm application program interface.
 4. The method of claim 3, wherein the rule engine input is a swarm intelligence having a plurality of input data.
 5. The method of claim 4, wherein the swarm intelligence is configured to utilize particle swarm optimization techniques.
 6. The method of claim 4, wherein the swarm intelligence comprises a plurality of nodes, each node having at least one blockchain database and at least one smart contract.
 7. The method of claim 6, wherein the plurality of nodes are in communication with each other so as to securely share information.
 8. The method of claim 3, wherein the plurality of past behavior models and the knowledge database include patterns in an operating system such as an audit log, an event tracing, or a kernel driver that are not directly related to a malware sample, or the plurality of past behavior models and the knowledge database include a plurality of anomalies in a human user behavior data not related to devices that are inferred using a statistical analysis leading to determining a potential insider threat and a theft of internal data.
 9. A method of detecting vulnerabilities and anomalies in a computational environment, the method comprising the steps of: registering, by a unique identifier, an internet of things device to a transaction engine such that a unique signature is provided; determining, by the transaction engine, a plurality of data to be collected from the internet of things device; recording, by a blockchain database, the unique signature; validating, by a rule engine, the unique signature so as to make a decision regarding a plurality of firmware and a plurality of machine code associated with the internet of things device based on a predetermined set of rules; processing, by an action engine, the transaction from the rule engine; and alerting, by the action engine, feedback to a client environment, wherein the plurality of firmware and machine code in the internet of things device is analyzed so as to maintain enabled capabilities, shielding, and enforcing continuous working order.
 10. The method of claim 9, wherein a rule engine input is a plurality of swarm intelligence data such that the plurality of swarm intelligence data comprises a plurality of nodes, each node having at least one blockchain database and at least one smart contract, the plurality of nodes are in communication with each other so as to securely share information, and the plurality of swarm intelligence data is configured to utilize particle swarm optimization techniques.
 11. A system for enforcing privacy policy regulations in a computational environment, the system comprising: a client user interface; a client environment having a plurality of databases, a plurality of client applications, a curator engine, and an action engine, the plurality of client applications comprising a new user register and a new user event, the plurality of client applications is communicatively coupled to the plurality of databases, the curator engine is communicatively coupled to both the client environment and the plurality of databases; a swarm intelligence having a transaction engine, a blockchain database, and a rule engine, the swarm intelligence is communicatively coupled to the client environment, the transaction engine is communicatively coupled to the curator engine and to the blockchain database, the blockchain database is communicatively coupled to the rule engine, the rule engine is communicatively coupled to the action engine, the action engine is communicatively coupled to the client user interface, wherein the system is configured to execute and enforce a plurality of data traceability from an integrated system across a browser, a session, a webserver, or the plurality of databases configured with a personal identifiable information by indexing the personal identifiable information from a genesis block such that a user is permitted to log, delete or encrypt the personal identifiable information according to policy laws.
 11. Asystem for enforcing privacy policy regulations in a computationalenvironment, the system comprising: a client user interface; a clientenvironment having a plurality of databases, a plurality of clientapplications, a curator engine, and an action engine, the plurality ofclient applications comprising a new user register and a new user event,the plurality of client applications is communicatively coupled to theplurality of databases, the curator engine is communicatively coupled toboth the client environment and the plurality of databases; a swarmintelligence having a transaction engine, a blockchain database, and arule engine, the swarm intelligence is communicatively coupled to theclient environment, the transaction engine is communicatively coupled tothe curator engine and to the blockchain database, the blockchaindatabase is communicatively coupled to the rule engine, the rule engineis communicatively coupled to the action engine, the action engine iscommunicatively coupled to the client user interface, wherein the systemis configured to execute and enforce a plurality of data traceabilityfrom an integrated system across a browser, a session, a webserver, orthe plurality of databases configured with a personal identifiableinformation by indexing the personal identifiable information from agenesis block such that a user is permitted to log, delete or encryptthe personal identifiable information according to policy laws.